GCP Security Deep Use Cases #2: wanna secure your egress HTTP/S traffic? Use Secure Web Proxy!

Today let's concentrate on the Secure Web Proxy use case. It's the perfect GCP service if you need to secure your egress web traffic.

Use case: Securing Cloud Run egress HTTP/S traffic with TLS inspection in single VPC

Use case: your company uses Cloud Run services (all deployed in the us-east region) as the compute platform for a few Java applications. Currently there is only one VPC in your Landing Zone. Last week you discovered a data leak caused by undesired egress traffic from a Cloud Run application. You want to control all egress HTTP/S traffic coming from Cloud Run applications: strict control over the traffic, including filtering on HTTP headers and allowing egress only to specific domains. Additionally, you want to ensure that your egress traffic leaves GCP with defined, static IP addresses. Certificate Authority Service is already in use in your Landing Zone.

Solution architecture for the use case:

Quick explanation:

  • Secure Web Proxy is the best choice for this solution: it's the native GCP service for securing egress web traffic.
  • Cloud Run is a serverless compute platform, so it runs outside the VPC. To enforce that all egress traffic from Cloud Run applications passes through Secure Web Proxy, we need to connect Cloud Run to your VPC. The best way to do it is Direct VPC egress, a newer networking feature that has been GA since 2024. Direct VPC egress is a much simpler, more serverless and more efficient approach than a Serverless VPC Access connector.
  • The next step is to deploy Secure Web Proxy in the us-east region. To reduce administration overhead we can deploy SWP as a next hop: we're going to use TLS inspection, so we can use the next hop routing mode. This routing mode doesn't work for SWP without TLS inspection. After creating the SWP we need to add a static route with the SWP as the next hop (technically speaking, using the ILB as the next hop). As we see in the diagram, the SWP IP address is 10.0.0.4 and there is a static route with destination 0.0.0.0 and next-hop-ilb 10.0.0.4. This guarantees that all egress traffic from the VPC is routed to the SWP.
  • Then, to fulfill the requirements, we need to configure Cloud NAT to use defined, static IP addresses. This guarantees that egress traffic leaves GCP with the defined IP addresses.
  • We need to be able to filter traffic by HTTP headers, so we need to enable TLS inspection for the SWP. Certificate Authority Service is already in use in the Landing Zone, so the natural choice is to use CAS as the private CA. We need to configure a root CA and a subordinate CA pool and then configure the SWP for TLS inspection. We also need to add the root CA to the JVM truststore of our Java applications; without that, TLS inspection won't work, because the Java applications won't trust the certificates issued by CAS that the SWP presents during the TLS handshake.
  • We need to filter by specific domains, so we should create URL lists with the domains allowed for each Cloud Run application. Each application connects to specific domains, so we should create one URL list per application:


In the above example, the URL list allows Cloud Run application no. 1 to connect to the example.com and google.com domains.

The rule below allows the Cloud Run application running as the "cloud-run-1-sa" service account to connect to the domains from the "cloud-run-1-allow-list" URL list (example.com and google.com) when the HTTP request carries the header "Custom" with the value "X". It is also possible to filter, for example, by HTTP request method, path, query or user agent.

We can create a policy with rules for each Cloud Run application and associate that policy with the Secure Web Proxy instance:

After that, the Cloud Run application will be able to connect only to the allowed domains.
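As an added example (not from the article), here are the URL list, the TLS inspection policy pointing at the CAS subordinate CA pool, the policy and the per-application rule from the steps above, written as the YAML resource bodies that Secure Web Proxy accepts for import; PROJECT_ID, the resource names and the CA pool name are placeholders.

```yaml
# url-list.yaml: domains that Cloud Run application no. 1 may reach
# (constructed example; PROJECT_ID and all resource names are placeholders)
name: projects/PROJECT_ID/locations/us-east1/urlLists/cloud-run-1-allow-list
description: Allowed egress domains for Cloud Run application no. 1
values:
  - example.com
  - google.com
---
# tls-inspection-policy.yaml: SWP mints server certificates from the
# subordinate CA pool in Certificate Authority Service (pool name assumed)
name: projects/PROJECT_ID/locations/us-east1/tlsInspectionPolicies/cas-inspection
caPool: projects/PROJECT_ID/locations/us-east1/caPools/swp-subordinate-pool
---
# policy.yaml: the gateway security policy attached to the SWP instance
name: projects/PROJECT_ID/locations/us-east1/gatewaySecurityPolicies/cloud-run-egress-policy
tlsInspectionPolicy: projects/PROJECT_ID/locations/us-east1/tlsInspectionPolicies/cas-inspection
---
# rule.yaml: one rule per application. sessionMatcher is evaluated on the
# session (which service account, which destination host); applicationMatcher
# is evaluated on the decrypted HTTP request, which is why TLS inspection
# must be enabled for header filtering. A request matching no rule is denied.
name: projects/PROJECT_ID/locations/us-east1/gatewaySecurityPolicies/cloud-run-egress-policy/rules/allow-cloud-run-1
description: Cloud Run application no. 1 -> its URL list, header Custom=X only
enabled: true
priority: 100
basicProfile: ALLOW
tlsInspectionEnabled: true
sessionMatcher: >-
  source.matchServiceAccount('cloud-run-1-sa@PROJECT_ID.iam.gserviceaccount.com')
  && inUrlList(host(), 'projects/PROJECT_ID/locations/us-east1/urlLists/cloud-run-1-allow-list')
applicationMatcher: >-
  request.headers['Custom'] == 'X'
```

Each document is imported as its own file with the corresponding gcloud network-security import command, and the policy is then referenced from the Secure Web Proxy gateway.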

That's it! As you can see, using Secure Web Proxy is very easy. I hope you've enjoyed this article and learned a lot about securing egress web traffic with Secure Web Proxy. If so, please like, subscribe (follow or add me to your connections), share and comment; I will be very grateful. A lot more GCP Security Deep Use Cases are coming, so stay tuned!
